Wednesday, October 17, 2007

Securing your (wireless) router

If you have managed to configure your router successfully and know how to use the web interface of your router there are a few things you should always do to secure your router against intruders and others. Again: please do those changes only from a computer wired to the router and not through the wireless!

Change the default password of the router configurationThis password protects the web interface of the router. Anyone who knows this password and can get access to your router can make changes on the router configuration. Most routers use a fixed default password like "admin" or "password. Therefore it is usually a good idea to change this default password to a strong hard-to-guess password. You should also do this on a wired router even if you think no one will be able to (physically) access your router. One day you may run into some malware which is clever enough to configure some port forwarding on your router to be accessible from the internet. For this, the password is required. Thus, please change it!

The rest of this entry only applies to wireless routers (or access points in this respect).

Change the SSID (wireless network name) to something uniqueLike the default password many wireless routers use a default wireless network name (SSID, e.g. "linksys" or "NETGEAR") and have no wireless security set up. You should change this to something unique, i.e. not used by any other wireless network in your proximity. Some routers use a part of their MAC address as SSID (e.g. "0DA53B4C". This would be O.K. as it is unique although certainly harder to remember and somewhat cryptic. The reason why it is important to have a unique SSID is to make sure that your computer will always connect to your wireless router and not to your neighbor's. This is always important even if you have wireless security enabled. Running the same SSID as somebody else may result in delays or disconnects on your wireless links because your laptop sometimes confuses the wireless router to which it is talking and gets disconnected until it finds back to your own router. Therefore: change the SSID to something unique. It is a good idea to scan your neighborhood with your laptop to see what SSIDs they use. Use a nickname or something like that for your SSID.

Enable wireless security.Without wireless security all wireless transmissions are in plaintext. Anyone in your proximity can eavesdrop on you and find out which hosts you access, web sites you read and possibly even read your e-mails if you don't use an encrypted connection to your e-mail server. Without wireless security only connections using SSL (e.g. https websites, pop3s, or imaps mail servers) are secured. Nothing else. DNS host name resolution happens unencrypted thus anyone is able to see which hostnames you access and the IP addresses. Without wireless security it is extremely simple to setup a rogue wireless router with the same SSID as yours and with a little bit boosted transmitter your computers will connect to the rogue router giving full access to everything transferred. Your computer will simply connect to the best signal of an access point with your SSID.

Therefore: you have to enable wireless security. Anything else is not secure. In most new routers you have 4 basic choices: WPA2, WPA, WEP 104/128 bit, and WEP 40/64bit. WEP is considered insecure as it can be cracked within minutes and an attacker is able to find out your WEP keys quickly. WPA and the new (fully standardized) WPA2 are both considered secure at this time. Therefore, it is highly recommend to use WPA or WPA2 wireless security to protect your network. With WPA and WPA2 all your transmissions are strongly encrypted and also the access to your wireless network is well protected.

For each of those four choices you usually find at least two variants: one targeted for private and small networks and one targeted for enterprises. The latter require additional servers like RADIUS servers which you usually don't have in your home network. Enterprise variants allow user-based access control to the wireless network. Thus you usually have to stick with the easier variant for home networks which use predefined/fixed/pre-shared keys or passphrases. If you are unsure how the variants are labeled on your router simply try them and see what information you have to enter for each variant. If you have to enter some (RADIUS) server address it is probably a enterprise variant.

If it is WPA or WPA2 what you want to use you should look for the "Personal" or "PSK" variant. For WPA there is sometimes only the choice of the encryption algorithm used: TKIP or AES. TKIP is the encryption algorithm for WPA. AES is the (little bit stronger) encryption algorithm for WPA2. Thus WPA with AES is basically WPA2 and WPA with TKIP is normal WPA. WPA2 is backward compatible and can be configured to accept older WPA clients and newer WPA2 clients, i.e. clients that use either TKIP or AES. If you have some wireless clients which only know WPA with TKIP you should configure WPA2 with AES+TKIP. This will automatically select the strongest AES encryption with wireless clients which support it and will select the (not less secure) TKIP encryption for those which don't. As both encryption algorithms are considered very secure it does not affect your security of the wireless network.

The last thing to enter for WPA or WPA2 with pre-shared key/passphrase is the passphrase. The passphrase must be between 8-63 characters long. The overall security of your wireless network depends on the quality of your passphrase. Potential attacks against your network basically have to try different passphrases hoping to find the correct one in reasonable time. Thus if your passphrase is just a simple word like "password" it is more vulnerable to brute-force dictionary attacks. Thus a wireless network should be protected with a longer, strong, hard-to-guess passphrase. In general, you only have to enter the passphrase once on your wireless devices and then the device will remember it for future connections. This makes it easier to employ 63 character long random generated passphrases in a wireless network. You can either simply copy the key from the router interface while the computer is still wired to the router or you use a USB stick to copy the key to the laptop.

Again: you should not use WEP anymore. It is considered insecure and quickly cracked. If you use WEP, make sure that you do not use the passphrase/password on the computers to connect to your wireless router. The passphrase is only used to generate the real encryption keys (usually four of them). The algorithm how to derive the keys from the passphrase it not standardized (unlike WPA/WPA2 where it is standardized) thus different manufacturers do it differently. You better copy the WEP key to your computer. Use the first key in the list of four and make sure that the first key is selected as transmit key on the router if it allows this setting. The easiest way to copy the key is to use the hexadecimal representation. Hexdigits consists of numbers 0-9 and letters A-F. A WEP key in hexdigits is either 10 or 26 characters long. WEP 40/64bit keys have 10 hexdigits. WEP 104/128bit keys have 26 hexdigits. Hexdigits are the easiest way to enter the key correctly.

4 comments:

In this excellent entry you didn't mention that some (my) router (Linksys WTR54G) comes with a blank admin name. First, why is the name blank? Second, when strengthening the password is there any reason to set up a user name (assuming you can)?

I think most cheap routers use fixed user names like "admin" or "root". You can only change the password. Linksys does not use any user name at all. Why they do it? It don't know. I guess it is because of simplicity. If people were able to change the user name as well some may forget it after a while and are locked out. Some people already have a hard time remembering a single router password.

You didn't mention anything in your blog about SSID broadcast or channels. From what I've read there appears to be agreement that not broadcasting is a good idea unless you are a wireless hotspot. I understand it doesn't provide much security, but is there a reason (like performance) to leave broadcasting enabled or is it just good practice to turn broadcasting off?

The SSID broadcast and the wireless MAC address filter are often good for lengthy discussions. I have just added a a new blog entry on this topic as it is of more general interest I think.

Regarding the channels I don't really think the choice of channels provides you with security unless you have a 802.11a compatible router as 802.11a is not so commonly used then 802.11b/g/n. If you configure your router to use the 11a band only you may be able to lock out quite a few wireless clients which are not 11a compatible. But I am not sure how many standard wireless cards nowadays also supports 11a. My new laptop came with a 11a/b/g/n compatible card. There was no option to get a cheaper non 11a compatible card...